TL;DR
The best way to alert a website owner of a vulnerability is usually through their security policy (if they have one), or by contacting them directly via email. Be clear, concise, and avoid demanding payment.
1. Check for a Security Policy
- Look for a ‘Security’ page: Many websites have a dedicated page outlining how to report security issues. This is often found in the footer of the website or within their help/support section.
- Check the robots.txt file: Sometimes, contact information for security reports is included here. You can find this by visiting https://www.example.com/robots.txt (replace ‘example.com’ with the actual website address).
- Look for a PGP key: If they want secure communication, they may publish a PGP public key on their security page. This allows you to encrypt your report.
2. Contacting the Website Owner Directly
- Find an email address: Look for ‘contact’, ‘info’, or ‘support’ emails on the website. Avoid using generic ‘webmaster@…’ addresses if possible, as these are often unmonitored.
- Craft a clear and concise email: Keep your message professional and to the point. Include the following:
- Subject Line: “Security Vulnerability Report – [Website Name]”
- Description of the vulnerability: Explain what you found in simple terms, avoiding technical jargon where possible.
- Steps to reproduce: Provide clear instructions on how they can verify the issue themselves.
- Potential impact: Briefly explain what could happen if the vulnerability is exploited.
- Your contact information: Include a way for them to reach you for further discussion.
- Disclosure timeline (optional): If you have a preferred timeframe for disclosure, state it politely. For example, “I would appreciate a response within 30 days.”
- Example Email:
Subject: Security Vulnerability Report - Example Website

Dear [Website Owner/Security Team],

I am writing to report a potential security vulnerability on your website, example.com.

Description: The search functionality allows for cross-site scripting (XSS) attacks through unfiltered user input.

Steps to Reproduce:
1. Visit https://www.example.com/search?q=
2. Observe that an alert box appears, demonstrating the execution of JavaScript code.

Potential Impact: A malicious actor could inject harmful scripts into your website, potentially stealing user data or defacing the site.

Please let me know if you require any further information. I can be reached at youremail@example.com.

Sincerely,
[Your Name]
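Putting steps 1 and 2 together (scanning robots.txt and the security page for a contact address and a published PGP key, then preferring a monitored mailbox over webmaster@), here is an added Python helper that is not part of the original article. It works on page text you have already fetched; the sample documents and the example.com addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Mailboxes the article advises against as a first choice: often unmonitored.
GENERIC_PREFIXES = ("webmaster", "postmaster", "noreply", "no-reply")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PGP_MARKER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"

@dataclass
class ContactChannels:
    preferred: List[str] = field(default_factory=list)  # security@, contact@, info@, support@
    generic: List[str] = field(default_factory=list)    # webmaster@ and friends, last resort
    has_pgp_key: bool = False                           # encrypt the report if True

def find_channels(*documents: str) -> ContactChannels:
    """Scan the text of already-fetched pages (security page, robots.txt,
    footer) for reporting channels. Addresses are deduplicated, and
    security-specific mailboxes are listed before info@/support@."""
    result, seen = ContactChannels(), set()
    for doc in documents:
        if PGP_MARKER in doc:
            result.has_pgp_key = True
        for addr in EMAIL_RE.findall(doc):
            addr = addr.lower()
            if addr in seen:
                continue
            seen.add(addr)
            local_part = addr.split("@", 1)[0]
            bucket = result.generic if local_part.startswith(GENERIC_PREFIXES) else result.preferred
            bucket.append(addr)
    result.preferred.sort(key=lambda a: not a.startswith("security@"))  # stable sort keeps discovery order otherwise
    return result

# Constructed sample documents (hypothetical; not fetched from any real site).
SAMPLE_ROBOTS_TXT = "User-agent: *\nDisallow: /admin/\n# Security reports: security@example.com\n"
SAMPLE_SECURITY_PAGE = (
    '<p>Email <a href="mailto:security@example.com">security@example.com</a> or support@example.com.</p>\n'
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(key material omitted in this constructed sample)\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)
SAMPLE_FOOTER = "Questions? webmaster@example.com | info@example.com"

if __name__ == "__main__":
    channels = find_channels(SAMPLE_ROBOTS_TXT, SAMPLE_SECURITY_PAGE, SAMPLE_FOOTER)
    print("Try first:", channels.preferred)  # ['security@example.com', 'support@example.com', 'info@example.com']
    print("Last resort:", channels.generic)  # ['webmaster@example.com']
    print("PGP key published:", channels.has_pgp_key)  # True
```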
3. What *Not* To Do
- Don’t demand payment: Asking for a bounty without prior agreement is generally frowned upon and can be illegal in some jurisdictions.
- Don’t publicly disclose the vulnerability before it’s fixed: This puts users at risk. Give the website owner reasonable time to address the issue.
- Don’t exploit the vulnerability further: Stop testing once you have confirmed its existence and can reproduce it reliably. Further exploitation could be considered illegal.
- Avoid overly technical language: Remember that the recipient may not be a security expert.
4. Responsible Disclosure
Responsible disclosure means giving the website owner a reasonable amount of time to fix the vulnerability before publicly revealing it. A typical timeframe is 90 days, but this can vary depending on the severity of the issue and their response.